Which direction is your business going?
This ISO 22301:2019 Business Continuity Management System (BCMS) self-assessment will assess your business readiness.
By completing this self-assessment questionnaire you will be able to assess your business and identify which areas need to be implemented or improved.
BMS can assess your overall score and tell you which direction your business is going.
If any of these self-assessment questions are answered with a "NO", BMS can assist you in changing it to a "YES".
Context of the Organization:
(Yes) (No) Have the external and internal issues that affect the BCMS been determined?
(Yes) (No) Has your organization identified and documented its activities, products, services and relationships, and the potential impact of a disruptive event on them?
(Yes) (No) Has the context been defined, in terms of objectives, risk criteria and appetite, and the purpose of the BCMS?
(Yes) (No) Have the interested parties and their requirements been identified?
(Yes) (No) Is there a procedure to identify, document and communicate applicable legal and regulatory requirements?
(Yes) (No) Does the BCMS take the applicable legal and regulatory requirements into account?
(Yes) (No) Has the scope of the BCMS been determined and documented?
(Yes) (No) Have exclusions to the scope been documented and explained?
(Yes) (No) Is a BCMS in place and being continually improved?
(Yes) (No) Does top management demonstrate leadership with respect to the BCMS?
(Yes) (No) Is top management commitment evidenced by actions such as providing resources, communicating effectively and setting objectives?
(Yes) (No) Has top management allocated responsibility for the BCMS and assigned other relevant BCMS roles?
(Yes) (No) Is a documented business continuity policy in place?
(Yes) (No) Does it set objectives for the BCMS?
(Yes) (No) Does it commit your organization to satisfying requirements and continually improving the BCMS?
(Yes) (No) Is it adequately communicated and reviewed?
(Yes) (No) Are roles, responsibilities and authorities for the BCMS defined, allocated and communicated?
(Yes) (No) Does the plan for the BCMS take into account the relevant issues and requirements?
(Yes) (No) Are all of the relevant risks and opportunities determined?
(Yes) (No) Are actions planned to address the identified risks and opportunities?
(Yes) (No) Have measurable business continuity objectives been established and communicated?
(Yes) (No) Is there a plan to achieve the defined business continuity objectives?
(Yes) (No) Is success against the objectives reviewed and updated regularly?
(Yes) (No) Are changes to the BCMS carried out in a planned manner?
(Yes) (No) Are BCMS resources determined and provided?
(Yes) (No) Are all of the relevant people sufficiently competent to perform their roles?
(Yes) (No) Where necessary, is action taken to improve competence and are records kept?
(Yes) (No) Are all relevant people aware of the business continuity policy and their role during disruptive incidents?
(Yes) (No) Is effective internal and external communication in place?
(Yes) (No) Is the availability of communication assured during a disruptive incident?
(Yes) (No) Is all of the documented information required by the standard in place?
(Yes) (No) Are standards used for documentation such as titles, references, format, review and approval?
(Yes) (No) Is the lifecycle of documented information controlled, including that from outside the organization?
(Yes) (No) Is documented information adequately protected?
(Yes) (No) Are all of the processes needed to meet requirements planned, implemented and controlled?
(Yes) (No) Are planned changes controlled and the consequences of unplanned changes mitigated?
(Yes) (No) Are outsourced processes identified and controlled?
(Yes) (No) Is a formal and documented process in place for business impact analysis and risk assessment?
(Yes) (No) Are continuity and recovery priorities, objectives and targets determined using a formal and documented process?
(Yes) (No) Are business continuity risks identified, analyzed, evaluated and treated in an appropriate and timely way?
(Yes) (No) Have appropriate business continuity strategies been identified?
(Yes) (No) Have alternative strategies been identified based on relevant criteria, such as timeframes and impact?
(Yes) (No) Has the selection of appropriate strategies been based on the identified requirements, risk appetite and cost/benefit profile?
(Yes) (No) Are the resources required for the selected business continuity strategies identified?
(Yes) (No) Are the business continuity solutions implemented and available for activation when required?
(Yes) (No) Are appropriate business continuity procedures in place to manage a disruptive incident?
(Yes) (No) Are the procedures specific, flexible, prioritized and effective?
(Yes) (No) Is a management structure defined to respond to a disruptive incident?
(Yes) (No) Is the response structure supported by appropriate procedures, resources and communication methods?
(Yes) (No) Are procedures in place to detect, monitor and record vital information about an incident?
(Yes) (No) Are procedures in place for internal and external communication during an incident?
(Yes) (No) Are your procedures regularly exercised?
(Yes) (No) Do business continuity plans contain the details of the actions that teams will take to continue or recover prioritized activities within predetermined time frames, and to monitor the impact of the disruption and the organization's response to it?
(Yes) (No) Is the structure of each business continuity plan followed, and does it include the purpose, scope and objectives; the roles and responsibilities of the team that will implement the plan; the actions taken to implement the solutions; the supporting information needed to activate (including activation criteria), operate, coordinate and communicate the team's actions; internal and external interdependencies; and the resource and reporting
(Yes) (No) Are documented procedures in place to return to normal working after an incident?
(Yes) (No) Is a business continuity exercising and testing plan and schedule in place?
(Yes) (No) Are all plans tested sufficiently to ensure their successful use in an incident?
(Yes) (No) Are regular evaluations of business continuity procedures carried out, using a variety of appropriate methods?
(Yes) (No) Are post-incident reviews carried out to identify improvements?
(Yes) (No) Is it clearly defined what needs to be monitored and measured to determine the effectiveness of the BCMS?
(Yes) (No) Are the methods for monitoring, measurement, analysis and evaluation clearly defined and the results documented?
(Yes) (No) Are actions taken when monitoring shows adverse trends?
(Yes) (No) Are appropriate internal audits being carried out by suitably qualified and impartial people?
(Yes) (No) Are the audit results being communicated to management so that action can be taken?
(Yes) (No) Are documented management reviews being held regularly?
(Yes) (No) Do the management review input topics cover, for example: the status of actions from previous management reviews; changes in external and internal issues; information on trends in nonconformances and corrective actions; trends in monitoring and measurement evaluation and audit results; feedback from interested parties; the need for changes to the BCMS, including policy and objectives; procedures and resources that could be used in the organization to improve the BCMS's performance and effectiveness; information from the business impact analysis and risk assessment; the output from evaluation of business continuity documentation and capabilities; risks or issues not adequately addressed in previous risk assessments; lessons learned and actions arising from near-misses and disruptions; and opportunities for continual improvement?
(Yes) (No) Do the management review output topics cover, for example: variations to the scope of the BCMS; updates to the business impact analysis, risk assessment, business continuity strategies and solutions, and business continuity plans; modifications of procedures and controls to respond to internal and external issues that may impact the BCMS; and how the effectiveness of controls will be measured? Are the results of the management review communicated to relevant interested parties? Does the organization take appropriate action relating to those results?
(Yes) (No) Are nonconformities being identified, documented, evaluated and addressed?
(Yes) (No) Is the effectiveness of corrective actions reviewed and the BCMS changed if necessary?
(Yes) (No) Is the BCMS being continually improved?